WordPress Security Plugins – Do You Need Them?

With Google delivering over 22 million results for “WordPress security plugins” and over 1,000 security plugins listed on the official WordPress plugins page, there’s no denying their popularity. But the real question is – do you really need one on your site to begin with? 

By virtue of their naming alone and what they’re advertised as being able to do for your site, some solutions in this space are positioning themselves as must-have plugins to ensure WordPress operates safely. Presumably, so that you can stop worrying about security entirely. 

This is far from reality.

In fact, using a poorly built WordPress security plugin can actually slow down your site – adding functionality that should realistically happen on the network level before the request even needs to be processed by your server.

So, without further ado, let’s dive right in.

Do You Need a WordPress Security Plugin? 

Every website is a potential target for malicious hackers – some a bigger targets than others. This is no secret.

The popular publication Fast Company recently (at the time of writing) had their systems breached by someone who proceeded to send offensive Apple News notifications. 

People trying to gain access to sites with malicious intent don’t necessarily target larger businesses. Small and medium-sized businesses could potentially represent an easier target if they assume this, perhaps taking fewer precautions as a result.

Beyond the hassle of dealing with the situation, time wasted, and loss of revenue that your site could have generated while it remained inaccessible, companies have a legal obligation to protect customer information. This obligation comes with the risk of regulatory action.

It goes without saying that nobody wants to be the victim of an attack. But given that the global ecosystem of WordPress sites was independently valued at approximately $635.5 billion (USD) – it’s no surprise that selling the promise of security has proven to be a good business opportunity.

How Do Hackers Attack WordPress Sites

WordPress is open-source, so vulnerabilities that are discovered in the WordPress core and any themes or plugins eventually become public knowledge. Unfortunately, this can happen before WordPress is able to issue a patch for the vulnerability, creating a window of opportunity for those with ill intentions. Bad actors are well aware of this opportunity, allowing them to begin automatically targeting sites that could be running the vulnerable theme or plugin – to see what’s possible.

Even without these vulnerabilities, it’s quite common for both people and bots to use brute force attacks to try to gain access to a site. This involves sending multiple login requests repeatedly in an effort to identify user accounts that use default or common username and password combinations.

There are many possible ways in which a WordPress site can be hacked, which is why a broad approach at the server level is so important. Some of the most likely hacking risks include the following:

Brute Force Attacks: This type of attack involves repeatedly trying different username and password combinations in an attempt to gain access to a site’s admin panel.

SQL Injection: This type of attack involves injecting malicious code into a website’s database, which can then be used to steal sensitive information or disrupt the site’s functionality.

Cross-Site Scripting (XSS): This type of attack involves injecting malicious code into a website, which is then executed by the user’s browser. This can be used to steal sensitive information, such as login credentials, or to redirect users to a malicious website.

File Injection: This type of attack involves uploading malicious files to a website, such as backdoors or malware. These files can then be used to gain unauthorized access to the site.

Outdated software: If a website is not updated regularly, it may have vulnerabilities that can be exploited by hackers.

Phishing: This type of attack tricks the users into providing sensitive information such as login credentials, credit card numbers, and other personal information by creating a fake login page.

Why Security Plugins Are Not The Smart Choice

By virtue of how plugins work, they only function once a request reaches the server. This means that it is only possible for the security plugin to challenge things at a PHP level. For example, this could include a login with some mechanism to prevent possible unauthorized access once the server has received the request.

The result of this is, of course, consuming additional server resources on every request to the server as it sits in between the request and the beginning of processing the output. Evidently, this isn’t even foolproof: pluginvulnerabilities.com tested 31 security plugins against a zero-day vulnerability, and only 6 of them were able to fend off the attack.

WordPress security plugins need to be fully loaded before they can start processing traffic. This means that these plugins will consume resources even if your website isn’t under attack.

It’s also not unheard of for WordPress security plugins themselves to have their own vulnerabilities, and these can also be exploited by hackers.

For example, Wordfence, a popular security plugin with over 4 million users, has reported multiple vulnerabilities, such as Cross Site Scripting and Broken Access Control, over the years. These vulnerabilities were quickly patched, but this doesn’t change the fact that the systems were exposed, albeit for a short while.

There is also the danger that security plugins can create a false sense of security. It has been the case before that a site administrator installed a popular security plugin, believing that it would protect their site from all types of attacks, going on to neglect other important security measures such as regular software updates, strong passwords, two-factor authentication, and backups.

Another issue we’ve seen is where security plugins cause compatibility issues with existing themes or other plugins. In some cases, this conflict can result in leaving your site vulnerable to attack.

And it’s also quite common to experience false positives by using security plugins. Overeager plugins can flag legitimate actions as malicious, which can lead to false alarms and inconvenience to administrators and users.

The bottom line is that when it comes to the security of your WordPress site, there is no plugin solution you can use to set-it-and-forget-it. Security is an evolving, organic beast that needs constant vigilance.

Are There Any Security Plugins Worth Using? 

So, how do you protect a WordPress website? 

To begin with, work with a WordPress hosting provider that brings competence in security, scaling, and performance – the way we do at Servebolt. We do the heavy lifting related to keeping the underlying infrastructure for your sites fully secure.

Beyond this, you want all malicious (and potentially malicious) requests to be blocked before they even reach your server – before they have the opportunity to consume resources so that you can deliver the best possible experience for real website visitors. 

One example of this type of solution is Cloudflare. Cloudflare is a company that provides a variety of internet security services, including a Content Delivery Network (CDN), Domain Name System (DNS), and a Web Application Firewall (WAF). These services work together to protect websites from several forms of cyberattack, such as DDoS attacks, SQL injection, and cross-site scripting (XSS). Cloudflare also offers additional features such as SSL/TLS encryption, as well as a bot management system to enhance the security of a website further.

At Servebolt, in addition to this approach, we offer two managed proactive services, Accelerated Domains, and Servebolt CDN, that can harden your website’s security. They are built on top of Cloudflare’s Enterprise offering, and we give two free domains to all customers who sign up.

We use both server-based security products, as well as building on top of the WAF from Cloudflare when that is implemented through us. We add additional security measures to reduce the hack attempts, as well as prevent direct access to the server when using Cloudflare to reduce brute-force hacking attempts. These measures are configured to block potentially harmful requests automatically and don’t require any configuration or maintenance.

That aside, some plugins can improve the security of your site, although these in no way provide a one-stop solution:

  • Two-Factor: This Plugin is developed by the WordPress team, and it enables Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email, and backup verification codes.

If your credentials are leaked on the internet, your server can be breached even if most of the malicious traffic is blocked by a firewall. We strongly recommend using two-factor authentication to deter bad actors.

An alternative that we use at Servebolt is Cloudflare Access

  • Patchstack & WPScan: A vulnerability scanner such as Patchstack or WPScan can be helpful in keeping track of vulnerabilities. WP Scan, for example, continuously checks for threats to your server against a known database of 37,000+ vulnerabilities maintained by WordPress security professionals. If a threat is detected, it can trigger a notification via email or using a custom webhook with all the necessary information and recommendations for resolving the issue.

Tips For Hardening Your WordPress Site

Using Accelerated Domains or Servebolt CDN secures your site against many well-known attacks. They automatically implement login rate limiting and XML-RPC to secure against malicious brute force attacks on your site’s login page. But you can further enhance your security by implementing the following additional security practices on your website.

Limiting File Access

Each file and folder on your server has access rights associated with it, which specify who can read, write, and execute the given file or directory. Although having open permissions on the public assets of your site might not seem like a big deal, it is definitely bad practice. Moreover, some sensitive files, such as .htaccess and wp-config.php, should be securely locked down.

We recommend that you lock down all sensitive files as much as possible and only briefly loosen these permissions when you absolutely need to.

For .htaccess, you should change the permissions level to 644 – this would grant the owner of the file read-write access, with all other users only able to read the file.

You can restrict these permissions even further for the wp-config.php file by setting the permission mode to either 400 or 440, meaning only the owner (or, optionally, also other members of the selected group) can read the file, while modifications can only be made by the root user.

Let’s take a detailed look at the permission requirements for specific WordPress directories:

  • Root WordPress directory (/):

All files, except for .htaccess, should be writable only by your account – set the permissions mode to 644 for all files except .htaccess.

  • WordPress administration area (/wp-admin/):

All files should be writable only by your account – set the permissions mode to 644 for all files.

  • WordPress application logic (/wp-includes/):

All files should be writable only by your account – set the permissions mode to 644 for all files.

  • User-supplied content (/wp-content/):

This directory is intended to be writable by both you and the web server process – set the permissions mode to 664 for all files.

However, within the /wp-content/ directory, you may find the following:

  • Theme files (/wp-content/themes/):

If you want to use the built-in theme editor, all files need to be writable by the web server process. If you don’t need to use the editor, then all files can be writable only by your user account.

  • Plugin files (/wp-content/plugins/):

All files should be writable only by your user account. However, some third-party plugins might need write access. We recommend you remove write permissions and grant them only to specific plugins on a case-by-case basis.

Disable PHP File Execution in Selected Directories

You can further improve the security of your WordPress website by restricting the execution of PHP files in directories where it’s not necessary.

The first location where you should disable it is your /wp-content/ folder because a user might upload a malicious PHP script and try to run it.

You can disable the PHP execution by creating a file named .htaccess in the desired folder and pasting the following code into it:

<Files *.php>

deny from all


The above code creates a rule that forbids the execution of any PHP files in the specified directory. This means that even if a hacker injects malicious PHP code into a file, it cannot execute on the server, preventing any damage to your website.

Disable Directory Indexing and Browsing

Directory browsing is a feature of web servers that shows all the available files and directories in a given directory of a website. When enabled, anyone on the internet can see all the contents on any path of the website. This is a major security risk as it can reveal confidential information and server configuration.

For example, if someone were to visit https://www.example.com/static, they would be able to see (and download) all the files present in this path. It is highly recommended to turn off this feature. You can do so by appending the following line to your .htaccess file.

Options -Indexes

Use Fail2ban to Stop Brute Force Attacks

Fail2ban is a utility for servers that can dynamically create firewall rules for blocking IP addresses based on a predefined condition. You can use it with WordPress to temporarily block a user if they fail to log in 3 times in a row.

Don’t Use The “admin” Username

To a hacker, an account with administrative privileges is equivalent to the crown jewels – admin accounts can unlock all of the doors on the server. Unsurprisingly, this is the first account that hackers target. It is a good idea to use a different name for this administrator account to make this process harder for them and deter any brute-force attacks.

If you are still using the “admin” username, you should create a second account with a different name and grant it administrator access. Log into your second account – and delete the old admin account.

Restricting Database User Privileges

Database security is of paramount importance for any website. When installing multiple sites on your server, make separate databases and users for each site. This makes it more challenging for intruders to gain access to the complete system and steal personal information.

You should also properly configure MySQL account privileges and disable any unnecessary features, such as remote TCP connection. You can also restrict the login attempts if the database user is not in a whitelisted location. For example, you can block access to root connections if the connection was not initiated on the localhost.

Additionally, WordPress only needs read and write permissions to a MySQL database for normal functions. If you grant only SELECT, INSERT, UPDATE, and DELETE to your database user, everything will still work fine. However, sometimes third-party plugins and WordPress updates might cause errors when they try to alter the database schema or create a new table. Read the release notes and documentation of each plugin carefully if you are using this security measure.

Change The wp-admin URL

To make it more challenging for hackers to launch brute force attacks on your WordPress site, consider changing the default URL of your admin dashboard to something obscure. To do this, you can use a plugin such as WPS Hide Login or Change wp-admin login, which lets you customize your login URL easily.

Disable File Editing

The file editing feature in WordPress allows administrators to edit theme and plugin files from the dashboard directly. Although it’s useful while setting up the site, this can pose a security risk if the administrator account becomes compromised. Disabling the file editing functionality mitigates this risk.

This will also reduce accidental edits and enforce better documentation of the changes, as all new revisions will be tracked on version control and will need to go through testing before going live on the site.

To disable file editing in WordPress, you can add the following line of code to your site’s wp-config.php file:

define ('DISALLOW_FILE_EDIT', true  );

Changing Database Prefix

WordPress uses a common string of text in all table names to make identification easier. Changing this prefix makes it difficult for malicious actors to guess your table names when performing SQL injection attacks and other forms of database exploits.

Although it might seem like a small and insignificant improvement, most of the attacks on the internet are performed by automated bots which only aim for low-hanging fruit. By changing the default value, you can defend against most automated attacks.

Your current database prefix is stored in the wp-config.php file in your WordPress root directory. The default value looks something like this.

$table_prefix = 'wp_';

You can replace the “wp_” prefix with a new, unique prefix of your choice. Keep in mind that you’re only allowed to use letters, numbers, and underscores. For example:

$table_prefix = 'my_custom_prefix_123_';

After you save the changes to the wp-config.php file, you’ll need to manually update the existing SQL tables with the new names. If you aren’t sure how to do this, you can use a plugin such as Brozzme DB Prefix.

Automatically Logout Inactive Users

Implementing an auto-logout feature in WordPress can help improve the security of your site by automatically terminating the sessions of users after a specified period of inactivity. This feature can help prevent unauthorized access to your site in case a user forgets to log out or if they leave their device unattended.

To implement an auto-logout feature in WordPress, you can use a plugin such as Inactive Logout. Doing so will help protect the privacy of users by ensuring that sensitive information is not accessible to unauthorized individuals.

After Action Report – Take Action Today To Protect Your Site & Reputation

30,000 websites are hacked every day, and with WordPress powering 43% of the web, that represents a possible 12,900 WordPress sites being seriously compromised every single day.

Unfortunately, the advice available online detailing how to keep a WordPress site secure is either vague, out of date, or just plain wrong. It’s this bad advice, the reliance solely on third-party plugins, and the assumption that once security is set, you can forget it, that results in so many of these breaches.

Although security is never ‘done,’ it needn’t be a headache, and most of the advice in this article is fairly straightforward for most. Of course, having a strong web hosting company that takes security as seriously as it should is a major first step for most.

Any questions about keeping your WordPress sites secure? Feel free to get in touch with us & we’ll be happy to walk you through how the Servebolt Cloud can help you deliver the best possible experience for your visitors. Or, if this guide’s already answered all your questions and you’re ready to give the Servebolt approach a try…

Interested in managed hosting that’s empirically faster? Try our approach to WordPress hosting:

  • Scalability: In the real user workload tests, Servebolt delivered average response times of 65ms, 4.9x faster response times than the second best.
  • The fastest global load times: Average page load times of 1.26 seconds put us at the top of the list of global WebPageTest results.
  • The fastest computing speed: Servebolt servers provide previously unheard-of database speeds, processing 2.44 times more queries per second than the average and running PHP 2.6 times faster than the second-best!
  • Perfect security and uptime: With 100% uptime on all monitors and an A+ rating on our SSL implementation, you can be assured your site is online and secure.